
Update to SVR.JS 3.9.2

This commit is contained in:
Dorian Niemiec 2023-09-06 20:23:53 +02:00
parent 10ee128136
commit 9406ffda5f
4 changed files with 23 additions and 12 deletions


@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
<title>SVR.JS 3.9.1</title>
<title>SVR.JS 3.9.2</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="UTF-8" />
<style>
@ -12,7 +12,7 @@
</style>
</head>
<body>
<h1>Welcome to SVR.JS 3.9.1</h1>
<h1>Welcome to SVR.JS 3.9.2</h1>
<br/>
<img src="/logo.png" style="width: 256px;" />
<br/>
@ -117,7 +117,7 @@
</div>
<p>Changes:</p>
<ul>
<li>Added new config.json property - exposeModsInErrorPages</li>
<li>Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).</li>
</ul>
<p>Bugs:</p>
<ul>


@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
<title>SVR.JS 3.9.1 Licenses</title>
<title>SVR.JS 3.9.2 Licenses</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="UTF-8" />
<style>
@ -12,8 +12,8 @@
</style>
</head>
<body>
<h1>SVR.JS 3.9.1 Licenses</h1>
<h2>SVR.JS 3.9.1</h2>
<h1>SVR.JS 3.9.2 Licenses</h1>
<h2>SVR.JS 3.9.2</h2>
<div style="display: inline-block; text-align: left; border-width: 2px; border-style: solid; border-color: gray; padding: 8px;">
MIT License<br/>
<br/>
@ -37,7 +37,7 @@
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE<br/>
SOFTWARE.<br/>
</div>
<h2>Packages used by SVR.JS 3.9.1 and utilities</h2>
<h2>Packages used by SVR.JS 3.9.2 and utilities</h2>
<div style="width: 100%; background-color: #ccc; border: 1px solid green; text-align: left; margin: 10px 0;">
<div style="float: right;">License: MIT</div>
<div style="font-size: 20px;">

15
svr.js

@ -81,7 +81,7 @@ function deleteFolderRecursive(path) {
}
var os = require("os");
var version = "3.9.1";
var version = "3.9.2";
var singlethreaded = false;
if (process.versions) process.versions.svrjs = version; // Inject SVR.JS into process.versions
@ -4043,6 +4043,7 @@ if (!cluster.isPrimary) {
// Sanitize URL
var sanitizedHref = sanitizeURL(href);
var preparedReqUrl = uobject.pathname + (uobject.search ? uobject.search : "") + (uobject.hash ? uobject.hash : "");
// Check if URL is "dirty"
if (href != sanitizedHref && !isProxy) {
@ -4076,6 +4077,14 @@ if (!cluster.isPrimary) {
redirect(sanitizedURL, false);
return;
}
} else if(req.url != preparedReqUrl && !isProxy) {
serverconsole.resmessage("URL sanitized: " + req.url + " => " + preparedReqUrl);
if(rewriteDirtyURLs) {
req.url = preparedReqUrl;
} else {
redirect(preparedReqUrl, false);
return;
}
}
// Handle redirects to HTTPS
@ -4206,7 +4215,9 @@ if (!cluster.isPrimary) {
}
var sHref = sanitizeURL(href);
if (sHref != href.replace(/\/\.(?=\/|$)/g, "/").replace(/\/+/g, "/")) {
var preparedReqUrl2 = uobject.pathname + (uobject.search ? uobject.search : "") + (uobject.hash ? uobject.hash : "");
if (req.url != preparedReqUrl2 || sHref != href.replace(/\/\.(?=\/|$)/g, "/").replace(/\/+/g, "/")) {
callServerError(403);
serverconsole.errmessage("Content blocked.");
return;
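Review bot: The new 403 guard in the third hunk, `if (req.url != preparedReqUrl2 || sHref != href.replace(...))`, is only as strong as the parser that produced `uobject`, and that parser is not visible in the hunk; Node's legacy `url.parse` leaves `..` and `%2e%2e` path segments in `pathname` untouched while the WHATWG `URL` class resolves them, so whether a byte-for-byte match against `pathname + search + hash` actually excludes encoded dot-segments cannot be confirmed from here. Both the redirect branch in the second hunk and this 403 check reject only request targets that the parser re-serialises differently, so any traversal payload that round-trips unchanged is still left to `sanitizeURL(href)` and the `/\/\.(?=\/|$)/` normalisation on the same line. I would record that invariant where `preparedReqUrl` is first built: `// Reject/redirect any req.url that URL parsing does not round-trip byte-for-byte; encoded dot-segments are still left to sanitizeURL(), and the query string is deliberately not checked (see changelog)`. `uobject.hash` is concatenated even though HTTP clients do not send fragments, so a request target containing `#` passes this comparison with the fragment still present in the `req.url` handed to mods — worth confirming that is intended. The enclosing request handler starts and ends outside the hunk.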


@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
<title>SVR.JS 3.9.1 Tests</title>
<title>SVR.JS 3.9.2 Tests</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="UTF-8" />
<style>
@ -12,7 +12,7 @@
</style>
</head>
<body>
<h1>SVR.JS 3.9.1 Tests</h1>
<h1>SVR.JS 3.9.2 Tests</h1>
<h2>Directory</h2>
<iframe src="/testdir" width="50%" height="300px"></iframe>
<h2>Directory (with query)</h2>